Details
-
Type:
Bug
-
Status:
Resolved
-
Priority:
Major
-
Resolution: Fixed
-
Affects Version/s: 6.0.0beta17
-
Component/s: Security and SSL
-
Labels:None
-
Environment:JDK 1.4
-
Number of attachments :
Description
The code that handles needClientAuth and wantClientAuth is flawed. First some education. An SSLServerSocket can have only one of three states with regards to requesting client authentication: 1. don't request it (the default), 2. request it (set via setWantClientAuth) but if not supplied then that's okay, or 3. require it (set via setNeedClientAuth). So if you were to call both methods, then only the latter takes effect. Jetty is calling both (first the "need", then "want" method). The result is that it is impossible to need client authentication. I think Jetty should do the following:
Store the needClientAuth and wantClientAuth values internally as Boolean objects (so that they can be null).
In newServerSocket, check to see if both are non-null and if so throw some sort of configuration error.
Only call either of the set methods if their respective field is non-null.
I'd rather Jetty do this, which is essentially just facilitating configuration of the SSL APIs, rather than logical reasoning of need vs want, trying to figure out what is intended. Now it does neither, it is broken.
One more thing... to observe I am right about this bug, simply debug Jetty setting the breakpoint to after both the set's are called. Configure Jetty to need client auth (and optionally set want client auth but it doesn't matter)... and evaluate "socket.getNeedClientAuth()" is false, no matter what you do. (I can do this easily with IntelliJ IDEA, perhaps you can dynamically invoke ad-hoc expressions during debugging with other IDEs.)